The legal system cannot keep up with the complexity rapid change of software. You will end up with one regulation that says you cannot track users, and another regulation that says you have to prove that you are effectively blocking Iran users from using your product. If you log IPs connecting to your severs you'll be accused of tracking users, and if you don't log IPs you'll be accused of not doing your due diligence in confirming you blocked foreign users.
Is this an actual problem or is this a typical knee-jerk argument people make when someone is talking about regulation? (despite the current situation being so bad that it's hard to imagine regulation making it worse)
Regarding your specific example, the GDPR appears to deal with it easily: any data processing to comply with the law is allowed and does not require explicit consent. This seems to work well (of course, the GDPR is bad because it't not being enforced seriously, but if it was, the scenario you describe wouldn't be a problem)
Also, when I talk about regulation, I'm talking about regulating the intent and/or outcome rather than a particular implementation. If you track someone without their explicit consent for the purposes of targeted advertising or marketing you are in breach of the regulation, regardless of whether you obtained that data online, in the real-world (mobile phone tracking, facial recognition, loyalty cards, etc), by using Tarot cards or even a fortune-telling goldfish.
